In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL No.11md2258 AJB (MDD)

Court: United States District Courts. 9th Circuit. United States District Court (Southern District of California)
Writing for the Court: Anthony J. Battaglia
Parties: In re: SONY GAMING NETWORKS AND CUSTOMER DATA SECURITY BREACH LITIGATION
Docket Number: MDL No.11md2258 AJB (MDD), Civil Case No. 11cv2119, Civil Case No 11cv2120
Decision Date: 11 October 2012

In re: SONY GAMING NETWORKS
AND CUSTOMER DATA SECURITY BREACH LITIGATION

MDL No.11md2258 AJB (MDD)
Civil Case No. 11cv2119
Civil Case No 11cv2120

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF CALIFORNIA

DATED: October 11, 2012



ORDER GRANTING IN PART AND
DENYING IN PART DEFENDANTS'
MOTION TO DISMISS PLAINTIFFS'
CONSOLIDATED CLASS ACTION
COMPLAINT

[Doc. No. 94]

Presently before the Court are (1) Defendants' Motion to Dismiss Plaintiffs' Consolidated Class Action Complaint; and (2) Defendants' Supplemental Request for Judicial Notice. [Doc. 94.] Plaintiffs filed an opposition, [Doc. No. 107], and Defendants filed a reply, [Doc. No. 114]. The Court held a hearing on the motion on Thursday, September 27, 2012.1 For the reasons set forth below, the Court (1) GRANTS in part and DENIES in part Defendants' motion to dismiss Plaintiffs' Consolidated Class Action Complaint; and (2) GRANTS in part and DENIES in part Defendants' Supplemental Request for Judicial Notice.

BACKGROUND

I. Factual Background

This action arises out of a criminal intrusion into the computer network system used to provide PlayStation Network ("PSN") services. Plaintiffs, a putative consumer class, allege that Sony Computer Entertainment America, LLC ("SCEA"), Sony Network Entertainment International, LLC and Sony Network Entertainment America, Inc. (collectively, "SNE"), Sony Online Entertainment, LLC ("SOE"), and Sony Corporation of America ("SCA") (collectively, "Sony" or "Defendants") failed to follow basic industry-standard protocols to safeguard its customers' personal and financial information, thereby creating foreseeable harm and injury to the Plaintiff class.

Sony develops and markets the PlayStation Portable ("PSP") hand-held device and the PlayStation 3 ("PS3") console (collectively, "consoles").2 [Compl. ¶¶ 24, 25.] Among their key features are their ability to let users play games, connect to the Internet, and access the PlayStation Network ("PSN"), Qriocity, and Sony Online Entertainment ("SOE") (collectively, "Sony Online Services" or "SOS"). [Id. ¶¶ 26, 27-29.] For additional fees, the PSN also allows access to various third party services such as Netflix, MLB.TV, and NHL Gamecenter LIVE ("Third Party Services"). [Id. ¶ 31.] These additional fees are paid to the source of the service rather than to Sony. Many who subscribe to these Third Party Services can only access them through their PSN account. [Id. ¶¶ 9-11, 14, 38.] As of January 25, 2011, PSN had over 69 million users worldwide, [Id.], and SOE had over 24.6 million users worldwide, [Id. ¶ 29].

When establishing accounts with PSN, Qriocity, and SOE, Plaintiffs and other Class members were required to provide personally identifying information to Sony, including their names, mailing addresses, email addresses, birth dates, credit and debit card information (card numbers, expiration dates and security codes) and login credentials ("Personal Information"), which Sony stores and maintains on its Network. [Id. at 35.] Sony continually monitors and records users' PSN activities, purchases and usage, and maintains this usage data on its Network.3 [Id. ¶ 36.]

Plaintiffs allege that on April 16 or 17, 2011, hackers accessed Sony's Network, stealing the Personal Information of millions of Sony customers, including Plaintiffs and the other Class members (the "Data Breach"). [Id. ¶ 46.] On April 17, 2011, Sony discovered that PSN and Qriocity user data had been stolen. [Id. ¶ 51.] Three days later, Sony took the PSN and Qriocity offline, stating that "[w]e're aware certain functions of PlayStation Network are down. We will report back here as soon as we can with more information." [Id. ¶ 52.] As a result of the Data Breach, Sony was forced to shut down the PSN and Qriocity for almost a month while it conducted a systems audit to determine the cause of the data breach. [Id. ¶ 97.] Meanwhile, SOE remained offline for more than two weeks. During this prolonged downtime, Plaintiffs and the other Class members were unable to access PSN, Qriocity, and SOE, unable to play multi-player online games with others, and unable to use online services available through the PSN, Qriocity or SOE. Plaintiffs and the other Class members were also unable to access and use prepaid Third Party Services. [See Id. ¶¶ 9-11, 14, 98.]

Between April 21 and April 25, 2011, while the PSN and Qriocity remained off-line, Plaintiffs claim Sony continued to misrepresent the circumstances of the breach. [Id. ¶¶ 54-55, 58.] It was not until April 26, 2011, that Sony finally told the public that the personal information had been taken. [Id. ¶ 59.] Shortly thereafter, Sony admitted that its failures "may have had a financial impact on our loyal customers. We are currently reviewing options and will update you when the service is restored." [Id. ¶ 60.] Sony also conceded that "[s]ome games may require access to PSN for trophy sync, security checks or other network functionality and therefore cannot be played offline." [Id.] On May 12, 2011, Sony announced that it would compensate SOE users in the United States by offering free identity theft protection services, certain free downloads and online services, and "will consider" helping customers who have been issued new credit cards. [Id. ¶ 66.]

Plaintiffs further allege that Sony knew, or should have known, that its security measures were inadequate and that its network was vulnerable to attack because its network had been previously compromised. In 2011, after a PS3 user successfully "jailbroke" his PS3 console and posted instructions for doing it, Sony sued him to chill others from doing the same.4 [Id. ¶ 69.] However, according to Plaintiffs, Sony did nothing to update its inadequate protocols or otherwise implement adequate safeguards. [Id. ¶ 75.] Moreover, in a May 1, 2011 admission, Sony Corporation Chief Information Officer Shinji Hasejima conceded that Sony's Network was not secure at the time of the data breach and that the attack was a "known vulnerability." [Id. ¶ 76.] According to Plaintiffs, this is further evidenced by Sony's decision to not install and maintain appropriate firewalls on its networks, including the Payment Card Industry Data Security Standard ("PCI DSS"), which requires anyone collecting payment card information to install and maintain a firewall and is standard in the industry. [Id. ¶ 83.]

II. Procedural History

This case is before the Court pursuant to 28 U.S.C. § 1407. On August 16, 2011, the Judicial Panel on Multi-District Litigation transferred certain civil actions from multiple district courts across the country into one consolidated action. [Doc. No. 1.] On November 11, 2011, this Court appointed a Liaison Counsel and a Plaintiffs' Steering Committee ("PSC") to streamline the process. [Doc. No. 61.] Thereafter, Plaintiffs were informed that the PSC should file a Consolidated Complaint on behalf of all Plaintiffs, and the Defense could respond to the Consolidated Complaint. [Doc. No. 63.] Plaintiffs filed their Consolidated Class Action Complaint on January 31, 2012, [Doc. No. 78], and Defendants filed the instant motion to dismiss, [Doc. No. 94].5

LEGAL STANDARDS

I. Motion to Dismiss Under Rule 12(b)(1)

A Rule 12(b)(1) motion to dismiss tests whether a complaint alleges grounds for federal subject matter jurisdiction. If the plaintiff lacks standing under Article III of the U.S. Constitution, then the court lacks subject matter jurisdiction, and the case must be dismissed. See Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 101-02, 118 S. Ct. 1003, 140 L. Ed. 2d 210 (1998).

A jurisdictional challenge may be facial or factual. Safe Air for Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir.2004). Where the attack is facial, the court determines whether the allegations contained in the complaint are sufficient on their face to invoke federal jurisdiction, accepting all material allegations in the complaint as true and construing them in favor of the party asserting jurisdiction. See Warth v. Seldin, 422 U.S. 490, 501, 95 S.Ct. 2197, 45 L.Ed.2d 343 (1975). Where the attack is factual, however, "the court need not presume the truthfulness of the plaintiff's allegations." Safe Air for Everyone, 373 F.3d at 1039. In resolving a factual dispute as to the existence of subject matter jurisdiction, a court may review extrinsic evidence beyond the complaint without converting a motion to dismiss into one for summary judgment. See id.; McCarthy v. United States, 850 F.2d 558, 560 (9th Cir.1988) (holding that a court "may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction"). Once a party has moved to dismiss for lack of subject matter jurisdiction under Rule 12(b)(1), the opposing party bears the burden of establishing the Court's jurisdiction. See Kokkonen v. Guardian Life Ins. Co., 511 U.S. 375, 377, 114 S.Ct. 1673, 128 L.Ed.2d 391 (1994); Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d...
